In a sophisticated operation spanning just 13 hours, a single Ethereum address drained funds from more than 570 wallets, making off with approximately 326 ETH worth around $760,000—as per onchain data from Etherscan.
The incident, which unfolded between April 29 and 30, 2026, has raised fresh concerns about the long-term security of self-custodied crypto assets, particularly older wallets.
The exploiter address, flagged as Fake_Phishing2831105 on Etherscan, consolidated the stolen ETH before bridging the bulk of it, roughly 324.74 ETH, through THORChain into Bitcoin and Monero, effectively laundering the funds across chains.
Rapid sweep target mixed wallets
The attack stood out for its speed and selectivity. At its peak, the drainer emptied 244 wallets in a single hour. What puzzled observers was the victim profile. While some wallets had sat dormant for over eight years, others had shown recent activity. A handful had never sent any outgoing transactions at all.
Unlike typical “drainer-as-a-service” scams that rely on tricked approvals for ERC-20 tokens, this operation pulled almost exclusively native ETH. That signature strongly suggests the attacker possessed the private keys, allowing them to sign transactions directly from the victims’ wallets without any user interaction or malicious smart contract.
As of now, no widespread phishing campaign or compromised decentralized application has been linked to the incident. Many victims reportedly discovered the losses only after checking their balances, with little to no warning.
Private key compromises likely culprit
Analysts point to leaked credentials as the most plausible explanation. The 2022 LastPass breach, in which encrypted password vaults were stolen, remains a prime suspect. Security researchers have previously tied similar unattributed thefts to offline cracking of those vaults, a process that improves with time and computing power.
Other potential vectors include compromised wallet software, trading bots that require users to input private keys, or supply-chain attacks on development libraries. The mixed age of the drained wallets supports the idea of an aggregated list drawn from multiple historical leaks.
After the final drain around 12:39 UTC on April 30, they waited several hours before testing small transfers, then executed the large bridge in one transaction. This level of operational discipline is typical of experienced on-chain criminals.
Broader implications for crypto security
The incident serves as a stark reminder that “cold” wallets are not immune to risk if their keys were ever exposed. Forgotten wallets from the ICO era or early DeFi days can become liabilities years later if seeds or private keys were stored insecurely.
Security professionals recommend generating fresh wallets on hardware devices for any remaining funds and avoiding reuse of older seed phrases.
As of now, there is no indication of a flaw in Ethereum’s core protocol. The blockchain simply processed validly signed transactions. The vulnerability lies in the persistent human and infrastructure weaknesses that continue to expose keys long after initial compromises.
This event adds to a growing list of private-key-based thefts that highlight the permanent nature of blockchain transactions: once keys are lost, recovery options are nonexistent. For now, the attacker remains unidentified, and the full scope of compromised credentials may never be publicly known.
This is a developing story. More information will be updated as the event unfolds.
Also read: Carrot Becomes First DeFi Casualty of $285M Drift Exploit
